CVSS3: 8.6 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS: 0.001 Low (Percentile: 48.8%)

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2,
there is a bug in Wasmtime's implementation of its pooling instance
allocator: when a linear memory is reused for another instance, the
initial heap snapshot of the prior instance can erroneously be visible to
the next instance. This bug has been patched and users should upgrade to
Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator
and disabling memory-init-cow.

Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
github.com/bytecodealliance/wasmtime/commit/2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0
github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf
launchpad.net/bugs/cve/CVE-2022-39393
nvd.nist.gov/vuln/detail/CVE-2022-39393
security-tracker.debian.org/tracker/CVE-2022-39393
www.cve.org/CVERecord?id=CVE-2022-39393